Event Manager for Trend Micro ScanMail

Release Notes

Date Published: October 2009

 
 

 

Event Manager for Trend Micro ScanMail allows you to monitor Trend Micro ScanMail in real time, highlighting events that may indicate critical issues or potential problems so you can take corrective action quickly. Event Manager for Trend Micro ScanMail monitors computers and ensures that any significant condition detected by the antivirus software, such as a virus attack, is communicated to your operations staff in a timely manner. This module also monitors the application and generates alerts when the application is unable to run or deliver alerts.

This module for the Security Manager product includes usability improvements and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Security Manager forum on Qmunity, our community Web site that also includes product notifications, blogs, and the Security Manager user group.

This document outlines why you should install this module, lists any installation requirements, and identifies any known issues.

Supported Products

This release supports the following products:

  • Trend Micro ScanMail for Microsoft Exchange 7.0
  • Trend Micro ScanMail for Microsoft Exchange 8.0


Why Install This Module?

Event Manager for Trend Micro ScanMail provides support for Trend Micro ScanMail for Microsoft Exchange 7.0 and 8.0. Event Manager for Trend Micro ScanMail monitors events generated by Trend Micro ScanMail, highlighting events that may indicate possible service outages of the virus detection system, as well as virus infections, so you can quickly take corrective or preventative actions. For example, the module provides the following alerts:

  • Alert on failures to the email scanning process
  • Alert on signature update failures
  • Alert when a matching virus signature is found in an email (with configurable option to filter out EICAR test virus events)
  • Alert when Trend Micro ScanMail detects an outbreak condition

In this release, Event Manager for Trend Micro ScanMail includes a number of improvements to increase performance and usability of the module.


System Requirements

The following table lists additional requirements for a Windows agent computer monitoring Trend Micro ScanMail. For more information about agent requirements, see the Installation Guide for NetIQ Security Manager.

Category: Requirement

Processor: 1.5 GHz Intel Pentium III or equivalent.

Memory: 40 MB minimum. The amount of memory usage varies and depends on the environment, including event rate and other factors. Memory usage for a Windows agent monitoring Trend Micro ScanMail could reach 256 MB or higher.

Operating System: All supported Windows agent platforms.

Software:
  • Ensure you have Security Manager 6.0 Service Pack 4 or later installed.
  • Ensure you have Security Manager Self-Monitoring 6.0 or later installed.
  • Install the Windows agent to monitor Trend Micro ScanMail on a separate computer from the database server or central computer.


Installing This Module

Before you install Event Manager for Trend Micro ScanMail, you must first install Log Manager for Trend Micro ScanMail in order for any event collection to occur. Install this module using the Module Installer utility.

Note
If you previously used the Trend Micro Antivirus module to monitor Trend Micro ScanMail in your environment, ensure you select the new Event Manager for Trend Micro ScanMail module in the Module Installer. The Module Installer displays this module as "Not Installed" because the ScanMail portion of the original module is now a separate module. Install both the new Trend Micro OfficeScan module and the new Trend Micro ScanMail module to obtain all of the features available in the original Trend Micro Antivirus module.

After the installation completes, you can verify successful installation of the module in the Module Installer. Verify the Status column indicates the module is current and the module version listed in the Installed Version column is the same as the version in the Available Version column. For more information about installing modules, see the Installation Guide for NetIQ Security Manager.


Configuring the Trend Micro ScanMail Module

This module does not require any special configuration in the Configuration Wizard, unless you want to disable the default filter on EICAR test virus signature events. If you disable the filter, Security Manager generates alerts and stores matching EICAR test virus events in the OnePoint database. For more information about using the Configuration Wizard, see the User Guide for NetIQ Security Manager.

The processing rules for this module are deployed automatically to agents monitoring Trend Micro ScanMail through the use of attributes and computer groups. However, in order for Security Manager to receive events, you must configure each of the functional areas of Trend Micro ScanMail (Virus, Content Filtering, and Attachment Blocking) to send notifications to the NT Event Log.

To configure Trend Micro ScanMail:

  1. Start the ScanMail Management Console in the Trend Micro ScanMail program folder.
  2. Type the user name and password you set up during installation, and click Enter.
  3. Complete the following steps to configure Trend Micro ScanMail to write virus scanning events to the Windows event log:
    a. In the left pane, click Virus Scanning.
    b. On the Notification tab, under Advanced Notification, select the Write to Windows event log check box.
    c. Click Save.
  4. Complete the following steps to configure Trend Micro ScanMail to write system events to the Windows event log:
    a. In the left pane, expand Alerts, and then click System Events.
    b. Select the check box for all system events you want to log.
    c. Click Save.
    d. Click a checked event name to view its System Alert setup.
    e. Under Advanced Notification, select the Write to Windows event log check box.
    f. Click Save.
    g. In the left pane, click System Events.
    h. Repeat steps d through g for each system event you checked.
  5. Complete the following steps to configure Trend Micro ScanMail to write virus outbreak alerts to the Windows event log:
    a. In the left pane, expand Alerts, and then click Outbreak Alert.
    b. Select the check box for all virus outbreak alerts you want to log.
    c. Click Save.
    d. Click a checked alert name to view its Outbreak Alert setup.
    e. Under Advanced Notification, select the Write to Windows event log check box.
    f. Click Save.
    g. In the left pane, click Outbreak Alert.
    h. Repeat steps d through g for each virus outbreak alert you checked.
  6. Complete the following steps to configure Trend Micro ScanMail to write attachment blocking events to the Windows event log:
    a. In the left pane, click Attachment Blocking.
    b. On the Action tab, under AND, select Notify.
    c. On the Notification tab, under Advanced Notification, select the Write to Windows event log check box.
    d. If you are using Trend Micro ScanMail 7.0, select the Enable real-time attachment blocking check box.
    e. If you are using Trend Micro ScanMail 8.0, select the Enable transport level attachment blocking and Enable store level attachment blocking check boxes.
    f. Click Save.
  7. Complete the following steps to configure Trend Micro ScanMail to write content filtering events to the Windows event log:
    a. In the left pane, click Content Filtering.
    b. Click the name of a rule you want to log, to view its content filtering setup.
    c. On the Action tab, under AND, select Notify.
    d. On the Notification tab, under Advanced Notification, select the Write to Windows event log check box.
    e. Select the Enable this rule check box.
    f. Click Save.
    g. Repeat steps b through f for each content filtering rule you want to log.
    h. If you are using Trend Micro ScanMail 7.0, select the Enable real-time content filtering check box.
    i. If you are using Trend Micro ScanMail 8.0, select the Enable transport level content filtering and Enable store level content filtering check boxes.
    j. Click Save.


Monitoring the Product

You can monitor the product by examining product-specific views in the Security Manager Control Center and Web Console. You can also query stored log data and run Forensic Analysis reports in the Control Center. For more information about views and reports, see the User Guide for NetIQ Security Manager.


Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, contact Technical Support.

Removal of Monitoring Guides

Since monitoring information for updated Security Manager modules is now available in the module release notes, monitoring guides have been discontinued. However, a known issue exists where Security Manager cannot simply remove old monitoring guides when installing updated modules. To reduce the risk of users referencing outdated monitoring guides, Security Manager now replaces the old monitoring guide in the default documentation folder with a blank monitoring guide. Monitoring guides are installed by default in the \Program Files\NetIQ Security Manager\OnePoint\Documentation\Monitoring Guides folder on the central computer, but may have been moved or copied to a different location in your environment. After installing an updated module, you should manually delete any outdated monitoring guides that were copied or moved to other folders.

Module Installer Does Not Show Update

If you are upgrading from the old Trend Micro Antivirus module, the Module Installer shows "Update Available" for Event Manager for Trend Micro OfficeScan, but shows "Not Installed" for Event Manager for Trend Micro ScanMail. When the Trend Micro Antivirus module was separated into the new Trend Micro OfficeScan and Trend Micro ScanMail modules, the Trend Micro OfficeScan module re-used the existing module components. Since the Trend Micro ScanMail module created new components, the Module Installer displays it as a new module. If you want to monitor Trend Micro ScanMail in your environment, ensure you select the new Event Manager for Trend Micro ScanMail module in the Module Installer. (DOC277941)

Configuration Wizard Displays Old Module After Upgrade

If you previously used the Trend Micro Antivirus module and you upgrade to the new Trend Micro ScanMail module without also upgrading to the new Trend Micro OfficeScan module, a known issue exists where the Configuration Wizard continues to display the old Trend Micro Antivirus module. Ensure you install both the new Trend Micro OfficeScan module and the new Trend Micro ScanMail module to obtain all of the features available in the original Trend Micro Antivirus module. (DOC277939)

Old Computer Groups Are Not Removed After Upgrade

If you previously used the Trend Micro Antivirus module and you upgrade to the new Trend Micro ScanMail module, the old computer groups remain and the Security Manager agents continue to populate them. (DOC278134)

Old Objects Are Not Removed After Upgrade

After upgrading this module, Control Center continues to display a large number of attributes, computer groups, and scripts whose names begin with NetIQ::Trend Micro. These objects are safe to ignore, since this module no longer uses them. However, if you have custom content that uses these objects, NetIQ recommends that you discontinue their use or create your own custom attributes and computer groups, because the IDs for those objects may be re-used, replaced, or deleted in future module updates. For more information about creating custom attributes and computer groups, see the User Guide for NetIQ Security Manager.

Empty Legacy Processing Rule Groups

After installing or upgrading to Trend Micro ScanMail, there are two legacy processing rule groups listed in the Development Console: Trend Micro (Legacy) and Support for Trend Micro (Legacy). These processing rule groups are left over from previous versions of the Trend Micro modules, and are no longer functional. (ENG271554)


Contact Information

Please contact us with your questions and comments. We look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and user groups.

